Is the bank liable under Regulation E in either of these debit card scam scenarios?

My bank recently encountered two incidents involving Regulation E claims and I am unsure if the bank handled them correctly. In the first instance, our customer used a debit card to buy $1,000 in gift cards at a store with her debit card. She then provided the gift cards to another person, who turned out to be a scammer. In the second instance, the bank customer received a spoofed call appearing to be from the bank, and the customer handed over her debit card PIN and the password information to access her account online. The scammer used the information to take several thousand dollars from the account. Is the bank liable under Regulation E in either of these scenarios?

In the first situation, the bank has no Regulation E liability. Authorization is the key. In this scenario, the bank is not liable because, even though fraud was involved, the consumer clearly authorized the transaction. Moreover, the bank would not have been in a position to detect or stop the transaction.

The second scenario is different because the customer never authorized the transactions. Under §1005.6 of Regulation, consumers generally are not liable for unauthorized transactions (with some conditions and exceptions). Moreover, the Commentary to §1005.2(m)(3 states, “An unauthorized EFT includes a transfer initiated by a person who obtained the access device through fraud or robbery.” In this case, the scammer obtained the access device (PIN and password) through fraud, unlike the first scenario where the scammer never obtained the access information or accessed the account. (February 2020)

Is the bank liable under Regulation E in either of these debit card scam scenarios?

Compliance Hotline